On 03.07.20 01:13, Jeremy Banks wrote:
I am not confident all of our legacy apps can be configured for
non-standard ports; I would be in no way surprised if one or more of them
have the classic smtp ports hardcoded.  Though, I will discuss that option
with my co-workers.

if those legacy apps are running in your internal network, no (big)
security issue should happen.

Is my understanding of the smtp(d)_tls_FOO options in my original message
correct?  If so, what would it take to add a smtpd_tls_policy_maps option
to allow per-client TLS settings?

afaik there's no smtpd_tls_policy_maps, only smtp_tls_policy_maps, which
instructs your outgoing smtp connections.

From: owner-postfix-us...@postfix.org On Behalf Of Max-Julian Pogner
Sent: Thursday, June 11, 2020 10:36 AM
To: postfix-users@postfix.org
Subject: Re: Checking my understanding of TLS-related settings, and a possible feature request

well, as a quick-fix you could always start an additional smtpd service on
a non-standard port (by adding an appropriate line in master.cf) and
configure this additional smtpd in exceptional ways (by adding "-o
smtpd_tls_FOO" options to the additional smtpd service).

we use a similar approach with a few of our customers, where some legacy clients
use non-authenticated/non-encrypted SMTP for outgoing mail,
while port 25 from the world is NATted to an alternative port, where
anti-spam measures like postscreen, blacklisting, and milters are
implemented.

however, we don't require strong encryption on port 25 because of reasons
mentioned in this and other threads.

example master.cf line (note the leading whitespace in the option lines):

:2525       inet  n       -       y       -       -       smtpd
   -o smtpd_tls_protocols=BAR
   -o smtpd_tls_mandatory_protocols=FOO

note that only one of these is really needed. Either smtp is not mandatory and
the first directive is used, or it's not mandatory and the latter is.

On 11.06.20 at 18:22, Jeremy Banks wrote:
At my job, we use Postfix as our email setup.  Recently, as part of a
security audit by one of our customers, we were told that our mail relays
must accept only TLSv1.2 when doing TLS, and not any prior versions.

I would say this is acceptable for ports with required encryption and
authentication, not for standard SMTP.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".
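As an added example (not code from the thread or from Postfix), a small Python audit helper that reads a master.cf like the excerpt above, applies each smtpd service's "-o" overrides on top of assumed main.cf values, and flags the two situations discussed here: mandatory TLS on port 25, and a mandatory-TLS service whose smtpd_tls_mandatory_protocols still admits anything older than TLSv1.2. The main.cf values and the master.cf excerpt are constructed sample input.

```python
import re
PROTOS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = set(PROTOS[:4])  # Postfix protocol names, oldest first; these predate TLSv1.2

def enabled_protocols(spec):
    """Expand '>=TLSv1.2', '!SSLv2, !SSLv3' or 'TLSv1.2, TLSv1.3' into a set."""
    tokens = [t for t in re.split(r"[\s,:]+", spec.strip()) if t]
    enabled = {t for t in tokens if t[0] not in "!<>"} or set(PROTOS)
    for t in (t for t in tokens if t.startswith(">=")):  # minimum-version form
        enabled &= set(PROTOS[PROTOS.index(t[2:]):])
    return enabled - {t[1:] for t in tokens if t.startswith("!")}

def parse_master_cf(text):
    """Map each inet smtpd service name to its '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # indented line continues the entry above it
            if current is not None and (m := re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)):
                services[current][m.group(1)] = m.group(2)
            continue
        f = line.split()  # name type private unpriv chroot wakeup maxproc command
        current = f[0] if len(f) >= 8 and f[1] == "inet" and f[7] == "smtpd" else None
        if current is not None:
            services[current] = {}
    return services

def audit(master_cf, main_cf):
    """Flag mandatory TLS on port 25, and mandatory TLS that admits pre-TLSv1.2."""
    findings = []
    for name, overrides in parse_master_cf(master_cf).items():
        eff = {**main_cf, **overrides}  # main.cf value unless the service overrides it
        if eff.get("smtpd_tls_security_level") != "encrypt":
            continue  # opportunistic ('may') or no TLS: nothing mandatory to check
        if name in ("smtp", "25") or name.endswith(":25"):
            findings.append(f"{name}: mandatory TLS on port 25 rejects senders that cannot do TLS")
        if enabled_protocols(eff.get("smtpd_tls_mandatory_protocols", "")) & LEGACY:
            findings.append(f"{name}: mandatory TLS still allows pre-TLSv1.2 protocols")
    return findings
# Constructed sample input: assumed main.cf values and a master.cf excerpt.
MAIN_CF = {"smtpd_tls_security_level": "may", "smtpd_tls_mandatory_protocols": ">=TLSv1.2"}
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
2525       inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
"""
```

Running audit(MASTER_CF, MAIN_CF) reports only the 2525 service: it inherits the strict main.cf value but then overrides it with the old exclusion-list form, which still permits TLSv1 and TLSv1.1.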
